I have a VMware vSphere ESXi 6.5 server with a few VMs. I want to get away from RoboForm and have on-premises Bitwarden.
I have zero experience with Docker. Since my server is home-lab equipment, I have limited resources. One of my VMs is Windows 2012 R2. I have an email server, FTP server and a remote support server running on it. What would make more sense for my situation: perform an in-place upgrade to Windows 2019 and add Docker & Bitwarden to this Windows VM, or create a separate Linux VM just for Bitwarden? I’m wondering which scenario would use less memory and CPU and if there are other concerns that I’m not aware of.
Depending on your familiarity with Linux, I’d suggest building an Ubuntu 18.04 VM. You don’t need Docker experience for this. The Docker container’s IP address is the same as the VM’s address, so pretend Docker isn’t involved. BitWarden becomes a glorified app.
The Linux VM won’t use much overhead. The BitWarden docker containers do use some resources.
To host BitWarden (BW) on your own network, you generally have two options for access:
1. Create an internal certificate for BW. Install that certificate (or if you have a certificate authority on your network already) on your client machines. Then, use a VPN to access passwords when you’re outside your network, say on your mobile devices; or
2. Set up a reverse proxy to expose your BW server to the internet. Get Let’s Encrypt to issue a certificate to you. Then, you don’t need VPN access into your network to reach your BW server from outside the network.
I chose #2. It was a pain to get set up, but it was very cool to see the BW page when I was done.
My setup is a pfSense firewall, with the HAProxy package installed and configured. I built an Ubuntu VM for the Docker containers. This all runs on VMware ESXi 6.7.
@ndemarco - Thanks!
I worked for hours trying to get BW working on Win2019. I was able to get it installed (at least the script said it was successful) but I got a bunch of errors that certain files could not be accessed during the install, so I just deleted the VM.
I already have a Linux VM running a LAMP stack with an NGINX reverse proxy and a Windows VM running a separate web app that includes its own web server. My physical gateway has a web application firewall that acts as a reverse proxy, and I use NAT rules for non-HTTP/HTTPS traffic.
By no means am I proficient with Linux, but I have installed a few Linux distros, so I will try BW on Linux. Please elaborate on why you need a reverse proxy in front of BW and why one would need HAProxy.
Good luck with the project.
The reverse proxy would be necessary if you have a home lab with one IP address and multiple web services you want to expose to the internet using URLs. The reverse proxy will forward http/s traffic for the address http://passwords.homelab.com first to a TLS connection, then to your internal server 192.168.100.10:443 (or whatever your internal subnetting is).
If you also want to host a website out of your home IP, you’d add multiple Nginx location blocks, one for each URL-to-server pair you intend to host.
Nginx is a fantastic reverse proxy server for this. I use HAProxy because it’s an installable package within the pfSense firewall, and because it has a UI. I’m not a full-on DevOps or SysAdmin. I can like a UI.
This guide helped me get it installed. I had trouble getting Let’s Encrypt’s certbot working properly behind my reverse proxy firewall, but eventually I got a cert to issue and now all is working well, at least until 60 days when the cert must be renewed!
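As an added illustration of the Nginx variant of this setup (example configuration written for this thread, not the poster's HAProxy configuration or anything from the Bitwarden project): a TLS-terminating reverse proxy on the home-lab edge that routes by hostname. It uses the hostname and internal address from the thread (passwords.homelab.com, 192.168.100.10:443); the second site (www.homelab.com at 192.168.100.20) and the certbot certificate paths under /etc/letsencrypt are assumptions. It expresses the per-URL mapping as one server block per hostname, which is how Nginx keys hostname-based routing.

```nginx
# Added example, not from the thread. Assumed paths and the second site are marked below.

# Plain HTTP: keep the ACME HTTP-01 path reachable so certbot can renew the cert
# (this is the piece that is easy to get wrong behind a proxy), redirect everything else.
server {
    listen 80;
    server_name passwords.homelab.com www.homelab.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;           # assumed webroot handed to certbot --webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Bitwarden: terminate the public TLS connection here, then proxy to the internal VM.
server {
    listen 443 ssl http2;
    server_name passwords.homelab.com;

    ssl_certificate     /etc/letsencrypt/live/passwords.homelab.com/fullchain.pem;  # assumed certbot layout
    ssl_certificate_key /etc/letsencrypt/live/passwords.homelab.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Second hop is TLS to Bitwarden's own bundled web server on the VM.
        proxy_pass https://192.168.100.10:443;
        proxy_ssl_server_name on;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Bitwarden clients keep a WebSocket open for live sync; pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# A second URL-to-server pair on the same public IP (assumed internal address).
server {
    listen 443 ssl http2;
    server_name www.homelab.com;

    ssl_certificate     /etc/letsencrypt/live/www.homelab.com/fullchain.pem;      # assumed certbot layout
    ssl_certificate_key /etc/letsencrypt/live/www.homelab.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.100.20:80;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two points worth checking after reloading: `curl -I http://passwords.homelab.com/.well-known/acme-challenge/test` should reach the webroot rather than be redirected, otherwise the 60-day renewal will fail the same way the initial issuance did; and Nginx does not verify the upstream certificate on the internal hop by default, so if the Bitwarden VM is not on a trusted segment, add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the CA that issued the VM's certificate.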